Code Analysis thoughts


The approach to manual source code analysis varies depending on whether we begin by examining sources or sinks. Data enters an application through a source (a request parameter, header, cookie, uploaded file, or similar input) and is consumed, or operated on, in a sink (a database query, a system command, a file operation, a template render, and so on). A vulnerability is a path from a source to a sink along which the controls in between fail to neutralize the data for that particular sink.

Top Down Approach

In a top down approach, we would identify sources first. If we do not have authenticated access to the web application, we would naturally begin by searching for vulnerabilities in unauthenticated resources, since those are the sources we can actually reach. Tracing each application flow forward to its respective sink, we would then attempt to identify any sensitive functionality and determine what controls (such as input validation or output encoding) sit between the source and the sink.

Bottom Up Approach

In a bottom up approach, we would first identify sinks. Our goal is to determine whether any sinks contain vulnerabilities and which variables or values the vulnerable code uses. We would then need to determine how the application calls the vulnerable function and trace the application flow backwards to a source. As with the top down approach, we need to be mindful of any filters or input sanitization along the path, since they shape the payload needed to exploit the vulnerable function (and a sanitizer written for one sink, such as shell quoting, does nothing for another, such as SQL).

Tradeoffs Of A Bottom Up Vs A Top Down Approach

A bottom up approach is more likely to surface higher-severity vulnerabilities with a lower likelihood of exposure, because dangerous sinks tend to live in privileged or rarely-reached code. A top down approach, by contrast, is more likely to uncover lower-severity vulnerabilities with a higher likelihood of exposure, because it starts from the inputs every user can touch. For example, vulnerabilities discovered during a bottom up approach might allow admin users to gain remote code execution, whereas vulnerabilities discovered in a top down approach might allow any user to exploit cross-site scripting.
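To make the bottom up approach concrete, here is an added example (not part of the original notes) of a minimal sink-to-source tracer for Python code, built on the standard library's ast module. It starts from a small catalogue of dangerous sinks, walks each sink argument backwards through straight-line assignments until it reaches a request source (or runs out of definitions), and records any recognised sanitizer found on the path. The sample application, and the SINKS, SOURCES and SANITIZERS catalogues, are assumptions constructed for the demo; the sample is only parsed, never executed, so Flask does not need to be installed.

```python
import ast

# Assumed catalogue for the demo: dotted call names treated as sinks, sources and sanitizers.
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}
SOURCES = {"request.args.get", "request.form.get", "request.get_json"}
SANITIZERS = {"shlex.quote", "int"}

# Constructed sample application (only parsed, never executed).
SAMPLE_APP = '''
import os, shlex
from flask import request

def ping():
    host = request.args.get("host")
    os.system("ping -c 1 " + host)            # source reaches sink untouched

def ping_safe():
    host = shlex.quote(request.args.get("host"))
    os.system("ping -c 1 " + host)            # sanitizer sits on the path

def lookup(cursor):
    user = request.form.get("user")
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cursor.execute(query)                      # tainted string reaches SQL sink

def static_cmd():
    os.system("uptime")                        # constant argument, no source
'''


def dotted_name(node):
    """Render a Name/Attribute chain such as request.args.get as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def analyze_function(func):
    """Bottom up: for every sink call in func, walk its arguments back through
    straight-line assignments and report (sink, reaches_source, sanitizers_seen)."""
    assignments = {}
    for node in ast.walk(func):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    assignments[target.id] = node.value

    def trace(expr, seen, sanitizers):
        if isinstance(expr, ast.Call):
            name = dotted_name(expr.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                sanitizers.add(name)
            # Evaluate every argument so sanitizers on all branches are recorded.
            return any([trace(a, seen, sanitizers) for a in expr.args])
        if isinstance(expr, ast.BinOp):
            return any([trace(expr.left, seen, sanitizers),
                        trace(expr.right, seen, sanitizers)])
        if isinstance(expr, ast.JoinedStr):
            return any([trace(v.value, seen, sanitizers)
                        for v in expr.values if isinstance(v, ast.FormattedValue)])
        if isinstance(expr, ast.Name) and expr.id in assignments and expr.id not in seen:
            seen.add(expr.id)                 # guard against x = x + y cycles
            return trace(assignments[expr.id], seen, sanitizers)
        return False

    findings = []
    for node in ast.walk(func):
        if isinstance(node, ast.Call) and dotted_name(node.func) in SINKS:
            sanitizers = set()
            tainted = any([trace(a, set(), sanitizers) for a in node.args])
            findings.append((dotted_name(node.func), tainted, sorted(sanitizers)))
    return findings


def analyze(source):
    """Map each top-level function name to its list of sink findings."""
    tree = ast.parse(source)
    return {f.name: analyze_function(f)
            for f in tree.body if isinstance(f, ast.FunctionDef)}


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_APP).items():
        for sink, tainted, sanitizers in findings:
            status = "TAINTED" if tainted else "clean"
            print(f"{name}: {sink} {status} sanitizers={sanitizers or 'none'}")
```

Running it reports `ping` and `lookup` as tainted with no sanitizer, `ping_safe` as tainted but with `shlex.quote` on the path, and `static_cmd` as clean. The tracer is deliberately intraprocedural and ignores control flow, reassignment order and calls into other functions, which is exactly the work the analyst has to do by hand afterwards: confirm the path is really reachable, and confirm the sanitizer found is the right one for that sink.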

Some of the things we should be looking for during code analysis:

  • After checking unauthenticated areas, focus on areas of the application that are likely to receive less attention (for example, the authenticated portions of the application).
  • Investigate how sanitization of the user input is performed. Is it done using a trusted, open-source library, or is a custom solution in place?
  • If the application uses a database, how are queries constructed? Does the application parameterize input or simply sanitize it?
  • Inspect the logic for account creation or password reset/recovery routines. Can the functionality be subverted?
  • Does the application interact with its operating system? If so, can we modify commands or inject new ones?
  • Are there programming language-specific vulnerabilities?
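The question of whether queries are parameterized or merely sanitized deserves a worked illustration. The following added example (not from the original notes) uses the standard library's sqlite3 module with a constructed in-memory table and a typical hand-rolled quote-escaping "sanitizer"; the function and table names are assumptions for the demo. It shows why the distinction matters: the escaping holds in a string context but is useless in a numeric context, while a parameterized query is safe in both because the driver never parses the value as SQL.

```python
import sqlite3


def setup_db():
    """Constructed in-memory fixture for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0), ("carol", 0)])
    return conn


def escape_quotes(value):
    """A typical hand-rolled 'sanitizer': double every single quote."""
    return value.replace("'", "''")


def find_by_name_sanitized(conn, name):
    # String context: quote escaping happens to hold here, because the only
    # way out of the literal is a quote character.
    query = f"SELECT name FROM users WHERE name = '{escape_quotes(name)}'"
    return [row[0] for row in conn.execute(query)]


def find_by_id_sanitized(conn, user_id):
    # Numeric context: there are no quotes to escape, so the same sanitizer
    # passes "2 OR 1=1" straight into the query.
    query = f"SELECT name FROM users WHERE id = {escape_quotes(user_id)}"
    return [row[0] for row in conn.execute(query)]


def find_by_id_parameterized(conn, user_id):
    # Parameterized: the value is bound by the driver and compared as data,
    # so "2 OR 1=1" is just a string that matches no integer id.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = setup_db()
    print("name, escaped, benign:  ", find_by_name_sanitized(conn, "bob"))
    print("name, escaped, attack:  ", find_by_name_sanitized(conn, "x' OR '1'='1"))
    print("id, escaped, benign:    ", find_by_id_sanitized(conn, "2"))
    print("id, escaped, attack:    ", find_by_id_sanitized(conn, "2 OR 1=1"))
    print("id, parameterized, att: ", find_by_id_parameterized(conn, "2 OR 1=1"))
```

When reviewing code, the point to look for is not whether some escaping function is called but whether the query text and the data are kept apart for every parameter in every query; a sanitizer that is correct for one context silently fails in the next one a developer uses it in, which is why the checklist above asks whether input is parameterized rather than simply sanitized.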